[PATCH] Re: Implement SSL certificate checking

Sebastian Spaeth Sebastian at SSpaeth.de
Wed Dec 15 17:18:16 UTC 2010


On Wed, 15 Dec 2010 12:09:11 +0100, Johannes Stezenbach <js at sig21.net> wrote:
> That is not true.  Read the documentation:
> http://docs.python.org/release/2.6.6/library/ssl.html
> 
>   the ca_certs parameter must point to a file of CA certificates.

Yep, know that.

> Do you realize that there is a difference between a CA certificate
> and a server certificate?

Yep.

> The usual and intended usage of ca_certs is to point to the
> database of all trusted CA certificates, in Debian
> /etc/ssl/certs/ca-certificates.crt (which can be
> configured using "dpkg-reconfigure ca-certificates").
> 
> But even if you have only one cert in your ca_certs file
> it is still a CA cert and not the server cert.

Right, but in case you trust the CA cert that you point the
configuration to, it is just as well. I agree that pointing this to all
possible CA certs on the system would make the protection much weaker,
although not worse than what all web browsers do now, as you point
out.

Storing the server certificate and accepting that permanently would be a
good thing. And we should strive for it. But we can go for that after we
make sure we are not thrown out of Debian, which I would find very
unfortunate. Baby steps.

> > That having said, I would love to get that certificate from the server
> > and just have it be remembered, like mutt does. I have no clue how that
> > would be done though.

> I suppose SSLSocket.getpeercert(binary_form=True).
> You can use ssl.DER_cert_to_PEM_cert() to convert it to ASCII
> for storing it into a file (better avoid to store the
> binary DER certificate).
> 
> The fingerprint is the MD5 or SHA1 on the binary DER.
> It should be the same as the output of
>   openssl x509 -noout -sha1 -fingerprint -in cert.in
>   openssl x509 -noout -md5 -fingerprint -in cert.in

Those are good hints, thanks. I think we should pursue this way and
offer it as an alternative to the CA cert checks.

Sebastian
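
The pinning scheme sketched in this exchange, written out as an added example (this is not OfflineIMAP's code and not code from either poster): the peer certificate is fetched with SSLSocket.getpeercert(binary_form=True), stored as PEM via ssl.DER_cert_to_PEM_cert(), and a fingerprint of the binary DER is compared against the pinned value on later connections, formatted the same way `openssl x509 -noout -sha1 -fingerprint` prints it. It uses the modern ssl.SSLContext API rather than the Python 2.6 ssl.wrap_socket/ca_certs interface quoted above; the host name, port, file name and the sample bytes hashed in the usage section are constructed for the example, and the network helper is shown but not exercised offline. It goes slightly beyond the thread in also accepting sha256, which is what a practitioner would pin today.

```python
"""Certificate pinning by DER fingerprint, as discussed in the thread.

Added example, not OfflineIMAP code. Assumptions: imap.example.org:993
and pinned_certs/ are placeholders; FAKE_DER below is constructed bytes
standing in for a real DER certificate (the fingerprint functions only
need bytes, so the arithmetic is identical for a real certificate).
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the binary DER certificate (md5, sha1 or sha256) and format
    the digest like `openssl x509 -noout -<algo> -fingerprint`: upper-case
    hex pairs separated by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der: bytes) -> str:
    """Store the certificate as ASCII PEM rather than raw DER, as suggested
    in the thread. Real stdlib call; it only base64-wraps the bytes."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """Reverse of der_to_pem, for reading a stored certificate back."""
    return ssl.PEM_cert_to_DER_cert(pem)


def _normalise(fp: str) -> str:
    # Accept fingerprints pasted from openssl output in any case, with or
    # without colons/spaces, so the comparison is on hex digits only.
    return fp.replace(":", "").replace(" ", "").upper()


def matches_pin(der: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Constant-time comparison of the presented certificate's fingerprint
    against the pinned one. A mismatch means the server presented a
    different certificate (rotation or interception) and the connection
    must not be used."""
    return hmac.compare_digest(_normalise(fingerprint(der, algo)),
                               _normalise(pinned))


def fetch_peer_cert_der(host: str, port: int = 993) -> bytes:
    """First contact (the mutt-style 'remember this certificate' step):
    connect without CA validation purely to capture the server's DER
    certificate. The caller must show the fingerprint to the user and
    store it only after explicit acceptance. Not run in the test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def ca_checked_context(ca_certs: str) -> ssl.SSLContext:
    """The alternative Johannes describes: ca_certs must be a file of CA
    certificates (on Debian /etc/ssl/certs/ca-certificates.crt), and the
    chain plus host name are verified against it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_certs)
    return ctx


# Constructed stand-in for a DER certificate (NOT a real certificate).
FAKE_DER = b"\x30\x82\x01\x00constructed-der-bytes-for-the-example"

if __name__ == "__main__":
    pem = der_to_pem(FAKE_DER)          # what would be written to disk
    pin = fingerprint(FAKE_DER, "sha1")  # what the user is asked to accept
    print(pem)
    print("SHA1 Fingerprint=" + pin)
    print("pin matches stored cert:", matches_pin(pem_to_der(pem), pin))
    print("tampered cert matches:", matches_pin(FAKE_DER + b"x", pin))
```

The fingerprint is a hash over the exact DER bytes, so the PEM file must round-trip to the same bytes; comparing the hex strings with hmac.compare_digest avoids a timing side channel, and normalising case and colons means a value copied from openssl output can be pasted straight into the configuration.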


